aws-sdk-go-v2's default credential chain behaviour differs from botocore #2794

Closed
2 of 3 tasks
bhops opened this issue Sep 16, 2024 · 2 comments

bhops commented Sep 16, 2024

Acknowledgements

Describe the bug

I ran into an interesting set of behaviour trying to debug why something using the aws-sdk-go-v2 was resulting in different AWS credentials being used under identical circumstances as awscliv2. After some pretty extensive debugging I found this particular section of code in botocore.

This code appears to disable the Environment Variables provider in the Python SDK when AWS_PROFILE is set. This does not happen in aws-sdk-go-v2. It's not clear to me which SDK is performing the correct behaviour.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Setting AWS_PROFILE should take precedence over AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE as it does with botocore and awscli when using the default credential chains.

Current Behavior

Setting AWS_PROFILE has no effect when AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are both set, and no warning or error is displayed warning the user that the usage of AWS_PROFILE was ineffective.

Reproduction Steps

This can be reproduced with code like the following

cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
  return nil, err
}

and setting the AWS_ROLE_ARN, AWS_PROFILE and AWS_WEB_IDENTITY_TOKEN_FILE environment variables. Regardless of what AWS_PROFILE is set to, the Web Identity credentials will be used and no error will be raised.

Possible Solution

The Go SDK should mirror the behaviour of botocore, allowing AWS_PROFILE to override other credentials set via environment variables.

Additional Information/Context

I was able to address this by changing the code to

	var loadOptions = []func(*config.LoadOptions) error{}
	awsProfile := os.Getenv("AWS_PROFILE")
	if awsProfile != "" {
		loadOptions = append(loadOptions, config.WithSharedConfigProfile(awsProfile))
	}
	cfg, err := config.LoadDefaultConfig(context.TODO(), loadOptions...)
	if err != nil {
		return nil, err
	}

but it feels like the different SDKs should have similar behaviour

AWS Go SDK V2 Module Versions Used

go.mod contents for github.com/aws/*

github.com/aws/aws-sdk-go-v2 v1.30.5
github.com/aws/aws-sdk-go-v2/config v1.27.33
github.com/aws/aws-sdk-go-v2/service/cloudformation v1.53.7
github.com/aws/smithy-go v1.20.4
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect

Compiler and Version used

go1.22.1

Operating System and version

n/a
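
A startup preflight for the condition this issue reports, written as an added example (not code from the issue or from either SDK): it flags an environment where AWS_PROFILE is set together with AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and produces the warning the issue says is missing. The names CheckCredentialEnv, Finding and the source labels are this example's own, and the per-SDK outcomes it records are the ones stated in the issue.

```go
package main

import (
	"fmt"
	"os"
)

// Credential source labels (this example's own wording, not SDK identifiers).
const (
	SourceWebIdentity = "web identity (AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE)"
	SourceProfile     = "shared config profile (AWS_PROFILE)"
)

// Finding records whether the environment hits the divergence reported in the issue.
type Finding struct {
	Conflict bool   // AWS_PROFILE is set alongside both web identity variables
	Profile  string // value of AWS_PROFILE, empty if unset
	GoSDKv2  string // source the issue reports for config.LoadDefaultConfig
	Botocore string // source the issue reports for botocore / awscli
}

// CheckCredentialEnv inspects only the three variables discussed in the issue.
// getenv is injected so the check can be tested without touching the process env.
func CheckCredentialEnv(getenv func(string) string) Finding {
	f := Finding{Profile: getenv("AWS_PROFILE")}
	webIdentity := getenv("AWS_ROLE_ARN") != "" && getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != ""
	if f.Profile != "" && webIdentity {
		f.Conflict = true
		f.GoSDKv2 = SourceWebIdentity
		f.Botocore = SourceProfile
	}
	return f
}

// Warning renders the message the issue says is never shown; empty when no conflict.
func (f Finding) Warning() string {
	if !f.Conflict {
		return ""
	}
	return fmt.Sprintf("AWS_PROFILE=%q is set but the default chain will use %s; "+
		"botocore/awscli would use %s. Pass the profile explicitly or unset the other variables.",
		f.Profile, f.GoSDKv2, f.Botocore)
}

func main() {
	// Fail closed: refuse to start with an ambiguous credential source.
	if w := CheckCredentialEnv(os.Getenv).Warning(); w != "" {
		fmt.Fprintln(os.Stderr, "warning:", w)
		os.Exit(1)
	}
}
```

Run before config.LoadDefaultConfig, this turns a silent choice of credentials into an explicit startup failure that names both candidate sources.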

bhops added the bug and needs-triage labels on Sep 16, 2024
bhavya2109sharma self-assigned this on Sep 17, 2024
bhavya2109sharma removed the bug and needs-triage labels on Sep 17, 2024
@bhavya2109sharma
Contributor

Hello @bhops

Thanks for reaching out.
You are right in making this point, but there is no default behavior which SDKs should follow. For botocore it might be the case to give more precedence to AWS_PROFILE, but it is not a universal rule for other SDKs.
It will stay the same until any further communication.

Thanks
~Bhavya


This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
